This is my first post on this site. I've been looking around for a solid networking forum community to join since I got into networking about a year ago (I'm a noob), and this looks like a good fit! Hello to everyone. On to my question:

I have not really set up ASAs or VPNs on Cisco devices before. I'm currently attempting to configure a remote access VPN between ASA devices, a 5505 and a 5510. The 5510 is meant to be the server and the 5505 is meant to be the easyvpn client. The reason I am opting for remote access as opposed to site-to-site is that I have many 5505s at remote sites that I will need to configure in the future, and they will be moving around a bit (I would prefer not to have to keep up with the site-to-site configs). The 5510 will not be moving. Both ASA devices are able to ping out to 8.8.8.8 as well as ping each other's public-facing IP.

Neither ASA can ping the other ASA's private IP (this part makes sense), and I am unable to SSH from a client on the 5510 side to the 5505's internal (192) interface. I am wondering if anyone more experienced in ASA remote VPNs than myself is able to see anything wrong with my configuration? I have pasted sterilized configs from both ASAs below.

Thanks very much for any assistance, and let me know if anything I've done is a breach of networking-forum protocol!

Are you sure the VPN is actually up? You seem to be missing "vpnclient enable" on your 5505. I also use "vpnclient nem-st-autoconnect" to make it connect automatically.

You can use a few different things to check the status of your VPN: show crypto isakmp sa (Phase 1), show crypto ipsec sa (Phase 2). The "show vpn-sessiondb" command and its parameters can also help you see the status of your tunnels.
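
An added example, not part of the thread or of either poster's configuration: an Easy VPN Remote block for the 5505 with the two commands from the reply above in place, followed by the status checks it lists. The server address, group name, user name and secrets are placeholders, and network extension mode is an assumption (the thread does not say which mode is in use).

```cisco
! --- 5505 (Easy VPN Remote / hardware client), global configuration mode ---
! Placeholder: public IP of the 5510 acting as the Easy VPN server
vpnclient server 203.0.113.10
! Assumption: network extension mode, so the networks behind the 5505
! keep their own addresses across the tunnel
vpnclient mode network-extension-mode
! Placeholders: tunnel group name and pre-shared key defined on the 5510
vpnclient vpngroup <GROUP-NAME> password <GROUP-KEY>
! Placeholders: user credentials the 5510 expects
vpnclient username <USER> password <USER-PASSWORD>
! From the reply: bring the tunnel up automatically
vpnclient nem-st-autoconnect
! From the reply: without this line the 5505 never starts the connection.
! Enter it last, after the other vpnclient settings are in place.
vpnclient enable

! --- Checks from the reply, run in privileged EXEC mode ---
! Phase 1: an IKE SA toward the 5510 should be listed
show crypto isakmp sa
! Phase 2: IPsec SAs should be listed, with counters that increase under traffic
show crypto ipsec sa
! Session view of the tunnels
show vpn-sessiondb
```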

Mendlar wrote: Are you sure the VPN is actually up? You seem to be missing "vpnclient enable" on your 5505. I also use "vpnclient nem-st-autoconnect" to make it connect automatically.

You can use a few different things to check the status of your VPN: show crypto isakmp sa (Phase 1), show crypto ipsec sa (Phase 2). The "show vpn-sessiondb" command and its parameters can also help you see the status of your tunnels.

Hrm, good point. I didn't even notice that; I feel silly. Up until now, the tunnel was not up: sh crypto isakmp sa and ipsec sa both designated that there are no current SAs. I'll go enable it and update. Thanks very much!